From Inksters Solicitors

Tag Archives: protection of personal data

The interaction between freedom of information and data protection laws is one which often results in conflict. On the one hand there is a legislative scheme that operates to promote transparency, while on the other there is a legislative scheme that operates to protect personal data. FOI law essentially provides that information should be released unless there is a good reason not to; while data protection law says that personal data should not be processed unless there is a good reason to. Both have their complexities and those brief explanations do not adequately encapsulate them.

The decision of the Upper Tribunal in Information Commissioner v Halpin [2019] UKUT 29 (AAC) is an example of where the First-Tier Tribunal got it badly wrong when dealing with the legitimate interests ground for processing under the Data Protection Act 1998. The Respondent in this appeal, Mr. Halpin, had requested information from Devon Partnership NHS Trust concerning the training that two named social workers had undergone in respect of the Care Act 2014. When deciding whether to release personal data under FOI law there is essentially a three staged test which must be satisfied before the personal data can be disclosed; this test was set out clearly by the Supreme Court in South Lanarkshire Council v Scottish Information Commissioner.

Firstly, is a legitimate interest or interests being pursued by the controller, third party or parties to whim the personal data is to be disclosed? Secondly, if a legitimate interest has been identified, is the processing (by way of disclosure under FOI law) necessary for the purposes of those interests? Finally, if there is a legitimate interest and the processing is necessary for that legitimate interest, then the processing cannot be unwarranted by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.

The first ground of appeal for which permission was granted was in respect of the FTT’s treatment of the effect of disclosure of the information to the world at large; in particular that the FTT had not deal with this matter in substance. This is an issue that needs to be carefully considered: disclosure under FOI is not simply a disclosure to the individual requester; it is a disclosure to the whole world. This is an important factor in determining the necessity of the processing in pursuance of the legitimate interest concerned. It is also important in considering whether the processing (by releasing the information under FOI) is unwarranted.

Once the information is disclosed under FOI law it is disclosed in circumstances where the public authority loses control of the information concerned; there is no duty of confidentiality owed. Therefore, there is nothing that can be done in order to prevent further dissemination of the information.

Upper Tribunal Judge Markus QC states, at paragraph 20, that Mr Halpin’s lack of motivation to publicise the information is irrelevant to the question of assessing the potential impact of disclosure to the world at large. The motivation of the requester is only relevant to the first of the three stages of the test set out in South Lanarkshire Council v Scottish Information Commissioner (whether a legitimate interest exist); it is not relevant to the question of necessity or the final question of balancing the legitimate interests against the rights, freedoms and legitimate interests of the data subject.

Public authorities, and those advising them, should therefore ensure that, when considering the release of personal data in response to a FOI request, they do not become focused on the individual requester; it is essential to consider the wider world when undertaking this assessment. The motivations of the requester might well be wholly benign, but there are others whose motivation may not be so benign and will utilise the information for other purposes. Requesters should also bear this in mind; an individual requester might have a perfectly legitimate interest in the personal data and the necessity test might very well be met in their individual case; that is not enough. Due consideration has to be given to the wider impact of releasing information to the world; this is why consideration has to be given to whether the personal data can be obtained in another way as part of the necessity test (although, the existence of other means of obtaining personal data, other than by way of a FOI request, will not necessarily be determinative of the issue).

The Data Protection Bill proposes amendments to both the Freedom of Information (Scotland) Act 2002 (“FOISA”) as well as the Environmental Information (Scotland) Regulations 2004 (“the Scottish EIRs”). The Bill is still making its way through the UK Parliamentary procedure and is due to have its third reading later today (9 May 2018) and, subject to completing its passage through Parliament in time, will come into force on 25 May 2018. There are currently no amendments tabled in the Commons ahead of the Bill’s third reading that would affect the relevant provisions in the Bill, but it is important to bear in mind that until the Bill completes its journey through the various stages of the legislative process it can be amended – even if it passes the Commons today, it still has to go back to the House of Lords and could become locked in a game of ping-pong between to the Commons and the Lords during which time it could be further amended. However, it seems unlikely that there will be any changes to the relevant provisions within the Bill.

Schedule 18 to the Bill proposes the amendments that should be made to a wide range of primary and secondary legislation, both reserved and devolved. Paragraphs 88-90 of Schedule 18 (as it stands at the time of writing) contain the amendments that will be made to section 38 of FOISA; meanwhile paragraphs 292-294 of Schedule 18 contain the amendments that will be made to the Scottish EIRs.

The proposed amendments to FOISA and the Scottish EIRs look, on the face of it, quite significant. However, the addition of a lot of text to section 38 and regulation 11 does not necessarily mean that there will be a drastic change in practice on the ground. One thing that public authorities should be aware of is the proposed subsection (5A) to section 38 and the proposed paragraph (7) of regulation 11. These proposals will have the effect of re-instating the ‘legitimate interests’ condition for lawful processing where public authorities are considering the release of third party personal data under the FOISA or the Scottish EIRS.

In short, what this will mean is that public authorities will be able to consider legitimate interests in the same way as they do now under condition 6 of schedule 2 when dealing with FOI requests under either regime. Had it not been for these proposed provisions then the GDPR might well have had a significant impact upon the release of third party personal data under FOISA and the Scottish EIRs; it would have had the effect of removing the processing condition mostly relied upon when releasing third party personal data in response to FOI requests. It should be noted that Schedule 18 to the Data Protection Bill proposes re-instating the legitimate interests condition in respect of the release of third party personal data under the Freedom of Information Act 2000 and the Environmental Information Regulations 2004 (see, as at the time of writing, paragraphs 58 and 289 of Schedule 18 respectively).

There is very little difference between condition 6 of Schedule 2 to the Data Protection Act 1998 and the legitimate interests condition in Article 6 of the GDPR and in practical terms there is almost no difference at all. The only real area where there may be some difference is where the third party personal data is that of a child where Article 6(1)(f) of the GDPR instructs data controllers to have particular regard to the interests and fundamental rights and freedoms of data subjects who are children. In reality, the fact that a data subject is a child is likely to always have been a factor that has been taken into consideration when undertaking the balancing exercise required by Condition 6 of Schedule 2 and so even to this extent there is unlikely to be much in the way of change.

Of course, the provisions are untested and the Commissioner and courts could take a different view, but in my view we are likely to see the release of the same sorts of third party personal data under FOISA and the Scottish EIRs after the GDPR as we do now. Furthermore, there is the question as to whether the re-introduction of legitimate interests for FOI purposes is lawful in terms of EU law. Article 85 of the GDPR does require Member States to reconcile the right to protection of personal data under the GDPR with the right to freedom of expression and information. Whether the UK Government’s method of reconciling the two, by effectively disapplying the prohibition on public authorities relying upon legitimate interests in respect of the performance of their tasks, is permitted by EU law is something we might need to wait to discover (then again, the UK might not be in the EU long enough for that matter to be determined – but that’s a whole different issue).

In conclusion both requesters and public authorities should familiarise themselves with the amended section 38 and regulation 11. In practice not much, if anything, is likely to change when it comes to the releasing of third party personal data under FOI laws (both Scottish and UK regimes). However, public authorities and requesters should keep a close eye on the decisions of both the Scottish and UK Information Commissioners as well as the First-Tier Tribunal, Upper Tribunal, English and Welsh Court of Appeal, the Court of Session and the UK Supreme Court.

The Data Protection Bill has been winding its way through the legislative process since it was first introduced to the House of Lords in September 2017. Since then it has completed its passage through the House of Lords and is now being scrutinised by MPs in the House of Commons, having received its second Reading last week. I made some initial observations on the Bill shortly after it was first published and thought that it was about time that I revisited the general subject of the Bill.

The Bill has now reached the committee stage in the House of Commons and is being considered by a Public Bills Committee, the first meetings of which took place yesterday. You can read the first sitting, which took place yesterday the morning, in Hansard, meanwhile the second sitting, which took place yesterday afternoon, can be found in Hansard here.

There was a debate yesterday morning on a proposed amendment (‘new clause 12’) which would insert a new clause into the Bill incorporating Article 8 of the Charter of Fundamental Rights of the European Union. Article 8 of the Charter makes specific provision for the protection of personal data; the amendment was tabled by MPs from opposition parties and was resisted by the Government. The source of the government’s concern, as set out by the Minister of State yesterday, is that new clause 12 would, in the government’s view, create “a new and free-standing right”. The Minister went on to say that “[t]he new right in new clause 12 would create confusion if it had to be interpreted by a court.” This was contested by Liam Byrne MP, who moved the amendment. Mr Byrne noted that this was a refined version of an amendment that was unsuccessfully moved in the House of Lords. Mr Byrne described the suggestion that new clause 12 was creating a new and unfettered right as being “nonsense”. The amendment, while debated yesterday, was not put to a vote; decisions on whether to insert new clauses are not due to be taken until towards the end of the Committee’s consideration of the Bill. We will need to therefore wait to learn whether it is ultimately included in the Bill or not.

Some amendments were considered and agreed to yesterday, while some others were considered and not agreed to. In Clause 3 of the Bill, the definition of ‘processing’ has been amended to remove reference to ‘personal data’ and to replace it with ‘information’. This means that the definition of processing in the Data Protection Bill now reads: “Processing”, in relation to information, means an operation or set of operations which is performed on information, or on sets of information, such as”. This means that the definition of processing in Clause 3 of the Data Protection Bill differs from the definition within the GDPR.

The explanation proffered by the Minister in support of these amendments was that they were “designed to improve clarity and consistency of language.” The Minister argued that “the amendments ensure consistency with terminology in other legislation.” She also gave her view that the amendments have “no material impact on the use of the term “processing” in parts 2 to 7 of the Bill”.

Clause 7 of the Bill (which deals with the meaning of ‘public authority’ and ‘public body’) has also been amended so as to provide that Ministers, exercising their delegated powers to designate and undesignated (for the purposes of data protection law) public authorities and public bodies, can do so not simply by identifying specific bodies or organisations, but also by way of description. The changes effectively mean that the provisions in the Data Protection Bill work in the same way as the similar provisions do within the Freedom of Information Act 2000 and the Freedom of Information (Scotland) Act 2002.

The controversial immigration exemption in paragraph 4 of Schedule 2 to the Data protection Bill saw a great deal of debate in the afternoon’s sitting. An amendment to remove the immigration exemption entirely from the Bill was moved and a division took place. The amendment to remove the exemption from the Bill was defeated by 10 votes to 9 and therefore the exemption remains in the Bill. The split was among party lines with the Government’s MPs successfully voting down the amendment with all MPs from opposition parties voting in favour of it.

It would not be possible to discuss everything that went on during the course of the committee’s two sittings yesterday, but I have tried to pick out some of the key aspects from yesterday’s proceedings. The amendment to the definition of processing seems to me to be rather odd and quite frankly unfathomable. Personal data is a well understood term within the field of data protection and privacy law. How the courts and Commissioner will interpret “information” is something that we will need to wait and see; if the amendment does in fact make no material change, then it will have been a completely pointless amendment.

I don’t see the controversy of the immigration amendment going away anytime soon. The Government is satisfied that the exemption strikes the right balance and is one that is permissible in terms of the GDPR. Campaign groups in opposition to the amendment say that it goes too far and, in any event, is unlawful as it is not permitted by the GDPR. It will certainly be interesting to see where matters go in that regard.

The attempt to replicate Article 8 of the EU Charter is an interesting proposal; one of the Government’s red lines in relation to the EU withdrawal process is that the EU Charter will cease to apply in the United Kingdom, how the effective inclusion of one article of the Charter would go down with certain members of Parliament is something that remains to be seen. Whether its inclusion will assist with the issue of ‘adequacy’ following the United Kingdom’s withdrawal from the European Union is debatable (for what it is worth, my initial reaction is it’s unlikely that it would have any bearing at all upon the question of adequacy).

The Committee’s consideration of the Bill is due to continue tomorrow (Thursday 15th March 2018) with sittings starting at 11:30am and again at 2pm. This is a large and complex Bill and the task of undertaking a line by line scrutiny of it is no easy task, especially in a timetable that will see this line by line scrutiny come to an end on 27th March 2018.